Three men are facing federal fraud charges for allegedly raking in more than US$100 million while running an illegal “scareware” business that tricked victims into installing bogus software.

Two of the men, Bjorn Sundin and Shaileshkumar Jain, operated an antivirus company called Innovative Marketing, which sold products such as WinFixer, Antivirus 2008, Malware Alarm and VirusRemover 2008.

The third man charged, James Reno, ran Byte Hosting Internet Services, the company that operated Innovative Marketing’s call centers

.

The company’s products generated so many consumer complaints that the FTC brought a civil action against Innovative Marketing and Byte Hosting in 2008, effectively putting them out of business.

On Wednesday, a grand jury in Chicago handed down the criminal charges, meaning the three men now face jail time if convicted.

Reno is expected to turn himself in for arraignment, the U.S. Department of Justice said in a press release Thursday. Authorities believe that Jain and Sundin are living in Ukraine and Sweden, respectively.

In a September 2009 e-mail to the IDG News Service, Reno said he was a young and naïve businessmen who was taken advantage of by Innovative Marketing. “I made some mistakes, of course,” he said, “however they kept us in the dark on a lot of their operation.”

According to prosecutors, Innovative Marketing set up fictitious advertising agencies that would buy online inventory from media companies.

They then pushed out ads with hidden computer code that generated scary-looking pop-up messages, designed to look like operating system errors or antivirus scans.

The end result was always the same. To get rid of the pop-up warnings, users would have to buy Innovative Marketing’s worthless software, prosecutors allege.

Byte Hosting’s call centers were then used to “deflect complaints from victims who purchased Innovative Marketing software products,” the Department of Justice (DoJ) said.

The scheme convinced victims in more than 60 countries to buy more than 1 million bogus programs, the DoJ said.

Exploiting tragedy

Perpetrators of scareware scams have plenty of tricks up their sleeve to con or coerce users into buying their fake anti-virus software.

Quite often they take advantage of major events to achieve their nefarious ends.

For instance, hackers exploited the tragic plane crash killing Poland’s president and other military and civil society leaders on April 10 by flooding search engine results with links to fake anti-virus software.

In April, Polish President Lech Kaczyinski and 91 other dignitaries were killed when their Soviet-era model Typolev Tu-154 plane crashed in Russia while attempting to land in a heavy fog.

A Google search of “Tu-154” resulted in several pages of links that pointed to the same rogue antivirus software, ITBusiness.ca discovered.

Gary Warner, a computer forensics expert at the University of Alabama at Birmingham conducted an analysis of the malware. Most antivirus scanners were unable to detect the malware masquerading as security software. The identity of the person who registered the sites was associated with more than 1,800 domains linked to similar scams.

“We went four pages deep on Google and 36 out of 40 results were malware,” Warner says. “That’s the kind of smack that gets people’s eyes to open up.”

Clicking on the links brings the user to a page that appears to run a virus scan. It warns the user they are infected and asks for credit card information to buy fake antivirus software that will remove it. In reality, criminals steal the credit card information and load the user’s system with malware designed to steal even more personal information.

The malware eventually changes Windows HOSTS file to redirect major search engines, including Google, Bing and Yahoo to a hacker network. Other online payment services and Google’s safebrowsing service are also redirected.

“Symantec, Sophos, McAfee, and Microsoft are not detecting this as malware at this time,” Warner notes. “In almost any corporation, there’s going to be a small number of people affected.”

Rogue security software, or scareware, is fraudulent security software that often convinces users to hand over payment information for bogus software after orchestrating a fake infection.

Upon agreeing to buy the software, users are usually infected with malware that scours for more personal details that can be sold on the black market, according to a Symantec Corp. report released June 2009.

There are more than 250 distinct varieties of rogue security software on the Web and its purveyors are raking in the cash. Pushers for one piece of malware were paid an average of $23,000 per week.

“When you’re looking at pure signature-based detection, you have to have a more known threat” for it to work, says Marc Fossi, executive editor of Symantec’s Internet Security Threat Report. “That’s why we have reputation-based security.”

Rogue anti-virus attacks are prevalent and typically make use of popular news headlines to gain traction with search engines, he adds. Google and other search engines have been playing a cat-and-mouse game with hackers to stop malicious results from showing up.

Many of the infected sites under the “Tu-154” search are labelled with a warning – “This site may harm your computer.” But not all of them.

“They’re poisoning all of the top news headlines all of the time,” Warner says. “Especially when the term in the news headline doesn’t see a lot of traction normally.”

The hacker used a PHP script to comb through Google News and other similar sites to pull out headlines and build a malicious Web page for each of the top stories, he adds. Similar attacks were successful for events such as Michael Jackson’s death and the Beijing Olympics.

“When the stars align, his pages dominate Google and it’s extremely likely that someone is going to get infected by him,” Warner says.

The domains associated with the Tu-154 attack are registered to Garritt Kooken of the Netherlands. The e-mail address is listed as gkook@checkjemail.nl and the phone number at +86-592257788, a China area code. The same registration information has been used for more than 1,800 domains conducting malicious activity.

Hackers use automated tools to register mass amounts of domains, Fossi says. “We’ll see them register a bunch of domains at one time and go live right after.”

The method allows the hackers to avoid getting blacklisted or shutdown. As soon as one domain is closed, another can be opened to serve the same malware.